In SSL (Secure Sockets Layer) (https:) secure communications, the two ends must decide on a shared secret key without having arranged one in advance. The original method for doing that was called Diffie-Hellman. Alternatives include:
By default, Java no longer supports Diffie-Hellman. This means SSL will fail on sites that don’t support some alternative that Java supports. In theory, you can patch Java to make it work. I have not had success. The way I deal with it is to use Excelsior Jet which uses its own SSL implementation that supports Diffie-Hellmen. To enable it, you can make various patches:
file by changing the jdk.tls.disabledAlgorithms property.
# Insert this code into java.security to turn Diffie Hellman back on jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 jdk.tls.disabledAlgorithms=SSLv3, RC4 jdk.tls.legacyAlgorithms= \ K_NULL, C_NULL, M_NULL, \ RSA_EXPORT, \ RC4_128, RC4_40, DES_CBC, DES40_CBC
You can also adjust:
// increase limit of Diffie-Hellman key size to 1024 or 2048 System.setProperty( "jdk.tls.ephemeralDHKeySize", "2048" );
or similar.
Java 1.8 now supports Diffie-Hellman 2048-bit MODP, when enabled. It used to support only 512 through 1024 bit.
Diffie-Helman will fail when the remote site demands a key bigger than 2048 bits. In that case, you can compile with Jet which supports larger keys, or use BouncyCastle.
Diffie-Hellman also uses SHA digests which are usually 128, 256 or 384 bits long.
This page is posted |
http://mindprod.com/jgloss/diffiehellman.html | |
Optional Replicator mirror
|
J:\mindprod\jgloss\diffiehellman.html | |
Please read the feedback from other visitors,
or send your own feedback about the site. Contact Roedy. Please feel free to link to this page without explicit permission. | ||
Canadian
Mind
Products
IP:[65.110.21.43] Your face IP:[3.144.109.147] |
| |
Feedback |
You are visitor number | |